Do lightweight themes have to go through the same review process as full ones and normal add-ons?

I asked a question here about this, however I did not really get a full answer there and was pointed towards this site. So does Mozilla put lightweight themes through the same, or at least similar, review process to that of full themes and normal add-ons? Or are there at least any checks for malicious code before the publishing of a lightweight theme?

If there are not, then this should be made clear, and perhaps there should be some sorts of checks, even if that’s scanning the images with a service like VirusTotal or some sort of heuristics- and signature-based malware detection platform.

Lightweight themes go through a different review process and are in a different queue than complete themes and extensions.

Lightweight themes cannot contain any code at all. It’s just images.

So they are not checked for anything malicious as images can contain malicious code which normally exploits something in the image handler? You won’t believe the amount of phishing scripts I’ve got from images going into my cache… In fact images are currently the most popular, and one of the most affective ways of transmitting malware… So I hope that I can get some assurance that the images are just images, and there’s nothing more to them.

I’m sure the security team around @dveditz has checked this scenario for lightweight themes.

Given the size limitations it would be rather hard I’d think. 3000px by 200px, PNG or JPG and 300KB or smaller. You’d have to write some pretty tight malware to fit. The footer is 100px instead of 200px, but otherwise the same requirements.

It may be hard and unlikely, however it is still possible, so are you telling me that there are no malware checks of any kind on these images due to the unlikely hood of any malware being there? Because if the image is so small, then the checks should be small too and minimal, however, there still should be some checks, just in case.

I can’t find any jpg or png exploits since July 2005, but I may just be getting weird results. Is there something Mozilla needs to worry about?

Well, I don’t know of any new specific exploits that Mozilla doesn’t know about, however, I still think that if it’s possible, it should be checked, and if the images really are so small then it shouldn’t be such a big deal to check.

Both exploits are over a decade old, have been patched, and neither were found in the wild before being exploited. Meaning, if there ever is another one found then Mozilla can scan for the issue until a patch is created for it, until then, it’s undue load.

Images (by themselves) are a terrible way to transmit malware. In the 1990s image handling code used stack buffers, and a stack buffer overflow could change program execution with data from the image. In that environment a standalone image could lead to an exploit.

These days we use allocated heap buffers, and a wild heap buffer overflow will have unpredictable results. It takes a lot of script execution to prepare the memory state so that a heap corruption bug can be a reliable exploit (especially with modern compiler and OS exploit mitigations), and lightweight themes have no scripts. In addition, the image formats we use are stable and well tested. They are old formats and security researchers have been beating on them for years.

If a lightweight theme passes review you don’t need to worry about them.

We do run virus scans on our download servers. Mostly it’s for the add-ons and Firefox itself (just in case!), but if by some chance someone includes a malicious image that doesn’t affect the reviewer but is still a latent exploit then it should be caught in that pass.

2 Likes

Ok, I am glad to hear that there are some security checks performed on the images before they are published.

Thank you @dveditz for the detailed explanation!